Barclays Hacks Its Own Systems to Find Holes Before Criminals Do

(Bloomberg) -- Barclays is hacking its own computer systems to stay a step ahead of the criminals.

Troels Oerting, who joined as chief information security officer in February, set up a so-called red team in recent weeks to attack the digital defenses of the London-based bank. His goal is to find any flaws and fix them before thieves, vandals or terrorists can exploit them.

“We emulate how criminals will try to get into the bank,” said Oerting, the former head of Europol’s European Cybercrime Center. “Then the red unit will do the same work, testing our ability to detect, to prevent, to resist.”

Oerting, a 35-year law-enforcement veteran, is part of a corps of former policemen and spies entering private industry to fend off a barrage of cyberattacks on businesses. More banks are building in-house teams that “operate and think like cybercriminals” as hackers become increasingly sophisticated, said Sergey Lozhkin, a security researcher at Moscow-based Kaspersky Lab, which has worked on investigations with Interpol and Europol.

The consequences of failure can be painful, as in the release last month of user accounts stolen from AshleyMadison.com, a website that urges clients to commit adultery. Hackers reached deep into the infrastructure of JPMorgan Chase last year, stealing names, addresses and e- mail addresses of 83 million people and small businesses, just months after the New York-based bank pledged to spend a quarter- billion dollars a year on cyber security.

Staying ahead of the bad guys requires resources, expertise and vigilance, and even that isn’t always enough.

“They improve the ways to get in all the time,” said Oerting, 58. “The reality is that there are actually more cases than you read in the press.”

Barclays is boosting spending by about 20% as part of its new cyber-defense strategy, Oerting said, declining to elaborate.

Cyber risk is viewed as a key concern by almost a third of banks in the U.K., a survey by the Bank of England found in July. Two years ago, only 1% of those surveyed considered cyber attack a major risk. HSBC Holdings, Lloyds Banking Group and Royal Bank of Scotland Group declined to discuss their efforts to fight computer crime.

Oerting’s new team of internal hackers, which will number as many as eight, joins the bank’s staff of 800 information technology security personnel.

Its efforts coincide with a Bank of England push to spot vulnerabilities at the 35 financial firms deemed critical to the U.K. economy. In that program, dubbed CBEST, security specialists monitor hackers’ tactics and use them to mimic real attacks. Five firms had concluded the program as of July, including Barclays and Lloyds.

“Cyber criminals are now looking for the responsible individuals inside banks who control many millions of pounds,” said James Chappell, co-founder and chief technology officer of Digital Shadows, a cyber-security company working with the BOE. “Then a single high-value fraud is committed.”

As hackers become more sophisticated, banks are seeking ways to lessen the impact of attacks, said Paul Hampton, a payments security expert at Amsterdam-based Gemalto NV.

“Banks accept that breaches are going to happen and rather than reinforcing the perimeter security they’re making sure data stolen won’t be usable,” he said.

Like Barclays, competitors are tapping top law enforcement and counter-terrorism officials to bolster digital security and compliance. In April, Standard Chartered Plc hired Iain Lobban, the former director of GCHQ, the surveillance arm of Britain’s intelligence agencies, as a senior adviser to the financial crime risk committee of the bank’s board.

JPMorgan hired former U.S. Army Chief of Staff Ray Odierno to advise the bank on issues including international risks and cyber security. Patrick Burton, a London-based spokesman for JPMorgan, declined to comment on its cyber-security operation.

“We want to keep our employees and our customers safe,” said Oerting. “This is why it’s so important that we assess the threats, the controls and see if we have any gaps.”

Culture is pivotal because it plays a key role in determining how firms make decisions to achieve their business objectives. Culture is at the heart of competitive advantage today; this is particularly the case for investment firms where people and their judgments are the chief assets. A firm’s culture creates the context and incentive structure to support an investment process based on a longer time horizon, a collaborative team approach that can integrate diverse insights and robust risk management. Culture also underpins business decisions, including talent management, strategy and capacity management. A strong culture in investment management firms is a requirement for sustainable alpha-generation.